Find notable cyber news and cases, enriched with sources, timelines, and signals.

Contagious Interview campaign uses malicious VS Code projects to deliver backdoors

Campaign
First reported
Last updated
Happening score
H score 23
2 unique sources, 6 articles

Summary

Hide ▲

The Contagious Interview campaign now also includes a Fake Font sub-campaign that uses hijacked npm packages and 16 Go packages to deliver a Python infostealer on Windows, Linux, and macOS. The malware hides execution in a VS Code task that runs when a folder opens, retrieves stages from blockchain transaction data and TronGrid/Aptos, then sets up a Socket.io backdoor and steals credentials, wallets, and developer artifacts. The activity is tied to North Korean threat actors and continues to target developers with trusted-looking software supply chain abuse.

Related Happenings

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

How related: "The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer."

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret

Campaign
H score9 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...

North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale

Threat Actor Meta
H score31 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

UNK_DeadDrop developer phishing campaign using fake job and code-review lures

Campaign
H score30 First: 08.06.2026 18:00 Last: 08.06.2026 18:00 Sources 1

About this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...

Timeline

  1. 02.03.2026 10:44 3 articles · 4mo ago

    Contagious Interview adds malicious npm packages and Pastebin-based Vercel C2

    Campaign Scope Update

    North Korean Contagious Interview operators published 26 malicious npm packages to the npm registry, using install.js and vendor/scrypt-js/version.js to pull steganographically hidden C2 locations from Pastebin and Vercel-hosted infrastructure. The chain used ext-checkdin.vercel[.]app and 103.106.67[.]63:1244/1247 to deliver a cross-platform RAT and modules for VS Code persistence, keylogging, browser credential theft, TruffleHog secret scanning, and Git and SSH key exfiltration.

    Show sources
  2. 20.01.2026 20:41 3 articles · 5mo ago

    Contagious Interview uses malicious VS Code projects against developers

    Technical Analysis Update

    North Korean actors tied to Contagious Interview targeted developers with malicious Microsoft Visual Studio Code (VS Code) projects and cloned Git repositories that trigger tasks.json processing, runOn: folderOpen execution, and Vercel-hosted JavaScript payloads. The chain includes a macOS path using nohup bash -c with curl -s, a remote server at ip-regions-check.vercel[.]app, and follow-on payloads associated with BeaverTail, InvisibleFerret, Tsunami, TsunamiKit, XMRig, AnyDesk, and the malicious npm dependency grayavatar, enabling backdoor access, remote code execution, fingerprinting, keylogging, screenshots, and cryptocurrency mining.

    Show sources